Bug 987739

Summary: [abrt] libwebkit2gtk-2.0.3-2.fc19: WTF::OwnArrayPtr<JSC::WriteBarrier<JSC::Unknown> >::UnspecifiedBoolType: Process /usr/libexec/WebKitWebProcess was killed by signal 11 (SIGSEGV)
Product: Fedora
Reporter: Michael Catanzaro <mcatanzaro+wrong-account-do-not-cc>
Component: webkitgtk3
Assignee: Matthias Clasen <mclasen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: fedora, kalevlember, mclasen, tpopela
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:694cc9e5b86b40435693a68efce98122f2ae7a8a
Doc Type: Bug Fix
Last Closed: 2014-03-04 00:34:34 UTC

Attachments: backtrace, cgroup, core_backtrace, dso_list, environ, limits, maps

Description Michael Catanzaro 2013-07-24 03:57:20 UTC
Description of problem:
A WebKit crash that's actually reproducible!  Just visit www.google.com/trends

Looks like it's probably a problem with the JavaScriptCore.

Version-Release number of selected component:
libwebkit2gtk-2.0.3-2.fc19

Additional info:
reporter:       libreport-2.1.5
backtrace_rating: 4
cmdline:        /usr/libexec/WebKitWebProcess 14
crash_function: WTF::OwnArrayPtr<JSC::WriteBarrier<JSC::Unknown> >::UnspecifiedBoolType
executable:     /usr/libexec/WebKitWebProcess
kernel:         3.9.9-302.fc19.x86_64
runlevel:       N 5
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 operator WTF::OwnArrayPtr<JSC::WriteBarrier<JSC::Unknown> >::UnspecifiedBoolType at Source/WTF/wtf/OwnArrayPtr.h:67
 #1 isTornOff at Source/JavaScriptCore/runtime/Arguments.h:84
 #2 JSC::Arguments::tearOff at Source/JavaScriptCore/runtime/Arguments.cpp:333
 #3 JSC::Interpreter::unwindCallFrame at Source/JavaScriptCore/interpreter/Interpreter.cpp:501
 #4 JSC::Interpreter::throwException at Source/JavaScriptCore/interpreter/Interpreter.cpp:779
 #5 JSC::genericThrow at Source/JavaScriptCore/jit/JITExceptions.cpp:45
 #6 JSC::LLInt::returnToThrow at Source/JavaScriptCore/llint/LLIntExceptions.cpp:76
 #7 JSC::LLInt::llint_slow_path_throw at Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1622
 #8 llint_op_throw at /lib64/libjavascriptcoregtk-3.0.so.0
 #9 ??

Comment 1 Michael Catanzaro 2013-07-24 03:57:27 UTC
Created attachment 777557 [details]
File: backtrace

Comment 2 Michael Catanzaro 2013-07-24 03:57:30 UTC
Created attachment 777558 [details]
File: cgroup

Comment 3 Michael Catanzaro 2013-07-24 03:57:33 UTC
Created attachment 777559 [details]
File: core_backtrace

Comment 4 Michael Catanzaro 2013-07-24 03:57:38 UTC
Created attachment 777560 [details]
File: dso_list

Comment 5 Michael Catanzaro 2013-07-24 03:57:43 UTC
Created attachment 777561 [details]
File: environ

Comment 6 Michael Catanzaro 2013-07-24 03:57:55 UTC
Created attachment 777562 [details]
File: limits

Comment 7 Michael Catanzaro 2013-07-24 03:58:31 UTC
Created attachment 777563 [details]
File: maps

Comment 8 Ben Boeckel 2013-07-24 04:14:19 UTC
I can't reproduce this with WebKit1 in Rawhide. WebKit2 does indeed crash for me, but for unrelated reasons it seems. Still digging.

Comment 9 Ben Boeckel 2013-07-24 04:42:27 UTC
FWIW, it works in valgrind with WebKit2, so that makes me think it's memory corruption of some sort. gdb and vanilla running are giving me junk in uzbl, so I don't know what happens normally.

This is also webkitgtk3-2.1.3-1.fc20.x86_64.

Comment 10 Ben Boeckel 2013-07-24 05:15:58 UTC
Okay, so clicking any of the links makes WebKit1 crash with the backtrace below; clicking in Rawhide's WebKit2 is fine.

@Michael: Could you try out Rawhide; it seems that this page is chock full of test cases :) .

#0  WebCore::FrameLoader::dispatchDidCommitLoad (this=0x7fd8a0d3c3b0) at Source/WebCore/loader/FrameLoader.cpp:3305
#1  0x00007fd909b96770 in WebCore::FrameLoader::receivedFirstData (this=0x7fd8a0d3c3b0) at Source/WebCore/loader/FrameLoader.cpp:614
#2  0x00007fd909b82208 in WebCore::DocumentLoader::commitData (this=this@entry=0x7fd89f08b000, 
    bytes=bytes@entry=0x7fd8a6362600 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=length@entry=512)
    at Source/WebCore/loader/DocumentLoader.cpp:783
#3  0x00007fd90949bcf6 in WebKit::FrameLoaderClient::committedLoad (this=0x10bf000, loader=0x7fd89f08b000, 
    data=0x7fd8a6362600 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=512) at Source/WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:165
#4  0x00007fd909b827c7 in WebCore::DocumentLoader::commitLoad (this=0x7fd89f08b000, 
    data=0x7fd8a6362600 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=512) at Source/WebCore/loader/DocumentLoader.cpp:740
#5  0x00007fd909b66ce3 in WebCore::CachedRawResource::notifyClientsDataWasReceived (this=this@entry=0x7fd8a0d45c00, 
    data=data@entry=0x7fd8a6362600 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=512) at Source/WebCore/loader/cache/CachedRawResource.cpp:110
#6  0x00007fd909b66e99 in WebCore::CachedRawResource::addDataBuffer (this=0x7fd8a0d45c00, data=0x7fd89dd6ea98) at Source/WebCore/loader/cache/CachedRawResource.cpp:66
#7  0x00007fd909bd67e3 in WebCore::SubresourceLoader::didReceiveDataOrBuffer (this=0x7fd8a0d45800, 
    data=0xfac330 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=512, prpBuffer=..., encodedDataLength=<optimized out>, 
    dataPayloadType=<optimized out>) at Source/WebCore/loader/SubresourceLoader.cpp:250
#8  0x00007fd909bd693b in WebCore::SubresourceLoader::didReceiveData (this=<optimized out>, data=<optimized out>, length=<optimized out>, encodedDataLength=<optimized out>, dataPayloadType=<optimized out>) at Source/WebCore/loader/SubresourceLoader.cpp:226
#9  0x00007fd909bcbdcc in WebCore::ResourceLoader::didReceiveData (this=0x7fd8a0d45800, data=0xfac330 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., 
    length=512, encodedDataLength=512) at Source/WebCore/loader/ResourceLoader.cpp:475
#10 0x00007fd90a2eb9f2 in WebCore::readCallback (asyncResult=<optimized out>, data=0x7fd8a0f22288) at Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1343
#11 0x00007fd906b3da16 in async_ready_callback_wrapper (source_object=0x11bda50, res=0x11a0e20, user_data=0x7fd8a0f22288) at ginputstream.c:519
#12 0x00007fd906b5fbf5 in g_task_return_now (task=0x11a0e20) at gtask.c:1108
#13 0x00007fd906b5fc19 in complete_in_idle_cb (task=0x11a0e20) at gtask.c:1117
#14 0x00007fd9063a5f26 in g_main_dispatch (context=0x8b1710) at gmain.c:3064
#15 g_main_context_dispatch (context=context@entry=0x8b1710) at gmain.c:3640
#16 0x00007fd9063a62a8 in g_main_context_iterate (context=0x8b1710, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3711
#17 0x00007fd9063a66ba in g_main_loop_run (loop=0xe46e30) at gmain.c:3905
#18 0x00007fd90834646d in gtk_main () at gtkmain.c:1157
#19 0x0000000000409ba7 in main (argc=2, argv=0x7fff65dc3bd8) at src/uzbl-core.c:297

Comment 11 Michael Catanzaro 2013-07-25 02:12:49 UTC
(In reply to Ben Boeckel from comment #10)
> @Michael: Could you try out Rawhide; it seems that this page is chock full
> of test cases :) .

I'd rather not; I don't have rawhide installed, and as I'm not at all familiar with the massive WebKit codebase, I doubt I would be much help.

Comment 12 Ben Boeckel 2013-07-25 03:41:48 UTC
What browser was this with? I might be able to poke it here.

Comment 13 Ben Boeckel 2013-07-25 03:55:16 UTC
Alternatively, just do a "yum --enablerepo=rawhide upgrade webkitgtk*"

Comment 14 Michael Catanzaro 2013-07-25 12:41:45 UTC
(In reply to Ben Boeckel from comment #12)
> What browser was this with? I might be able to poke it here.

epiphany-3.8.2-1.fc19

(In reply to Ben Boeckel from comment #13)
> Alternatively, just do a "yum --enablerepo=rawhide upgrade webkitgtk*"

I'll make a VM soon to try rawhide in.

Comment 15 Ben Boeckel 2014-03-03 19:33:35 UTC
Seems to work fine with WebKit2 + WebKit1 (the WebKit1 crash from comment #10 was an uzbl bug) as of version webkitgtk3-2.2.5-1.fc20.x86_64. Is epiphany happy with that version?

Comment 16 Michael Catanzaro 2014-03-03 23:46:51 UTC
Yup, this seems to be fixed.